1. Field of the Invention
The present invention relates to encrypted packet processing devices, methods, programs, and program storing media. More particularly, the present invention relates to an encrypted packet processing device and an encrypted packet processing method for performing a predetermined classification process by determining a type of an encrypted packet, and a computer program and a program recording medium for executing the method.
2. Description of the Background Art
In recent years, due to the improvement of the environment for the Internet, a server device and a user terminal device can easily communicate various types of data via the Internet. The above data falls into the following two broad categories: data requiring no real-time processing, such as an application program and an electronic mail (hereinafter, referred to as non real-time data); and data requiring real-time processing, such as video and audio (hereinafter, referred to as real-time data). In the case where the above-described two types of data are processed all together, there is a possibility that video/audio may be stopped or lost, for example, if processing of real-time data is delayed. Therefore, the user terminal device, etc., preferably classifies input data into real-time data and non real-time data, and processes the real-time data preferentially over the non real-time data. In general, the above classification process is performed based on specific information indicating a data type, etc.
On the other hand, in conjunction with the spread of easy communications of various data between the server device and the user terminal device, there is a growing need for private line levels of security in the electronic commerce and electronic payment fields, for example, where information of special importance or information related to individual privacy is communicated. There exist various types of methods for providing high levels of security (e.g., see Japanese Patent Laid-Open Publication No. 2002-182560 and Japanese Patent Laid-Open Publication No. 2001-344228), of which IPsec (Internet Protocol Security) technology can be taken as one example of a typical method for providing high levels of security.
IPsec is a security protocol that performs encryption and authentication in the network layer (the third layer of the OSI reference model), and is standardized by the Internet Engineering Task Force (IETF). By connecting a user terminal device installed with the IPsec function to the Internet, or connecting a user terminal device to the Internet via a network connecting device (e.g., a modem or a router) installed with the IPsec function, it is possible to establish a virtual private network (VPN) on a wide area network such as the Internet. That is, a user can use the Internet safely without the need for performing special processing such as encryption.
In order to perform communication using IPsec, it is necessary to cause the transmitting and receiving end devices installed with the IPsec function to agree in advance on which information, such as an encryption algorithm, an authentication algorithm, an encryption key, and an authentication key, is used for communication. The above-described information is referred to as security parameters, including an encryption algorithm, an encryption key, an authentication algorithm, an authentication key, a Security Parameter Index (SPI) value, a protocol (e.g., ESP for encryption, and AH for authentication), a mode (transport or tunnel), or the like. In general, in order to cause the transmitting and receiving end devices to agree on which security parameters to use, communication is performed between the devices by an application called Internet Key Exchange (IKE). The security parameters that the transmitting and receiving end devices agree to use after communicating with each other are kept as a set of security related information called a Security Association (SA), and are notified to an IPsec processing section in each device. Based on the encryption algorithm, the authentication algorithm, the encryption key, and the authentication key, etc., defined by the SA, the IPsec processing section converts an IP packet to be transmitted into an IPsec packet, and restores a received IPsec packet to the original IP packet.
IPsec can be run in transport mode and tunnel mode. In transport mode, as shown in FIG. 16, a protocol header and data of a fourth or higher level layer such as transmission control protocol (TCP) or user datagram protocol (UDP) (higher than the IP protocol), which are included in a packet to be encrypted, are encrypted. In tunnel mode, as shown in FIG. 17, the entire IP packet to be encrypted is encrypted, and is encapsulated in a new IP packet. Thus, in tunnel mode, the entire original IP packet (including a protocol header and data of a fourth or higher level layer) is encrypted.
Here, a case in which the above-described classification process is performed for an IP packet encrypted in either transport or tunnel mode (i.e., an IPsec packet) will be described. In this case, specific information necessary for determination of a data type corresponds to the encrypted protocol header and data. Thus, in order to determine a data type, it is necessary to decrypt the entire IPsec packet. Hereinafter, a conventional device for classifying the IPsec packet based on the data type, and performing priority processing in accordance with the classification will be described. FIG. 18 is a block diagram showing an exemplary structure of a conventional processing device 200.
In FIG. 18, the conventional processing device 200 includes an input processing section 201, an encryption determination section 202, a decryption processing section 203, a security association database (SAD) 204, a priority level determination section 205, a priority level information DB 206, and an output processing section 207. The SAD 204 is a database in which information about various SA security parameters is stored. The priority level information DB 206 is a database in which a set of specific information and a previously-determined priority level is stored.
The input processing section 201, which is, for example, a network interface, inputs an incoming IP packet. The encryption determination section 202 refers to header information of the IP packet input by the input processing section 201, and determines whether or not the IP packet is encrypted, that is, whether or not the input packet is an IPsec packet. The decryption processing section 203 extracts, from the header information, SA information about encryption performed for the IPsec packet determined by the encryption determination section 202. Next, the decryption processing section 203 searches the SAD 204 using the extracted information as a key, and obtains security parameters corresponding to the extracted information. Based on the obtained security parameters, the decryption processing section 203 decrypts all encryption performed for the IPsec packet. The priority level determination section 205 checks a type of the IPsec packet in accordance with the specific information included in the IPsec packet decrypted by the decryption processing section 203, and determines a classification (i.e., a priority level) of the IPsec packet by searching the priority level information DB 206 using the type as a key. The output processing section 207 executes a predetermined output process in accordance with the priority level determined by the priority level determination section 205. For example, the output processing section 207 may be composed of a plurality of processing queues provided for each priority level, thereby changing a processing queue used for queuing in accordance with the determined priority level.
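As an added illustration that is not part of the patent text, the following Python models the conventional flow of FIG. 18 on a constructed transport-mode ESP packet: the encryption determination (IP protocol 50), the SAD lookup keyed by SPI, full decryption of the ESP payload, and the priority lookup on the recovered protocol and destination port. The SAD contents, the priority DB, the packet builder and the toy keystream cipher are all constructed stand-ins for the negotiated security parameters, not real IPsec algorithms.

```python
import hashlib
import struct

# Constructed SAD (stand-in for SAD 204): SPI -> encryption key negotiated for that SA.
SAD = {0x1000ABCD: b"constructed-key-A"}
# Constructed priority level DB (stand-in for DB 206): (IP protocol, dst port) -> priority, 0 = highest.
PRIORITY_DB = {(17, 5004): 0, (6, 80): 2}
DEFAULT_PRIORITY = 1

def keystream(key, spi, seq, n):
    """Toy keystream standing in for the negotiated ESP cipher (not a real algorithm)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, ctr)).digest()
        ctr += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ipv4_header(proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left at zero (constructed, not validated here).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def l4_header(src_port, dst_port):
    # Both TCP and UDP carry the ports in their first 4 bytes; the rest is padded here.
    return struct.pack("!HH", src_port, dst_port) + b"\x00" * 4

def build_esp_transport(spi, seq, inner_proto, inner_l4, key):
    # Transport mode: the L4 header and data are encrypted; the ESP trailer holds pad length and next header.
    plain = inner_l4 + bytes([0, inner_proto])
    esp = struct.pack("!II", spi, seq) + xor(plain, keystream(key, spi, seq, len(plain)))
    return ipv4_header(50, len(esp)) + esp

def classify(packet):
    """Return the priority level of a packet, decrypting the whole ESP payload first when needed."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if proto == 50:                        # encryption determination: protocol 50 = ESP
        spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
        key = SAD.get(spi)                 # SAD search keyed by the SPI from the header
        if key is None:
            return None                    # no SA for this SPI: cannot decrypt, discard
        cipher = packet[ihl + 8:]
        plain = xor(cipher, keystream(key, spi, seq, len(cipher)))
        proto, l4 = plain[-1], plain[:-2]  # next header from the trailer, L4 header from plaintext
    else:
        l4 = packet[ihl:]                  # plaintext packet: specific information is directly readable
    dst_port = struct.unpack("!H", l4[2:4])[0]
    return PRIORITY_DB.get((proto, dst_port), DEFAULT_PRIORITY)
```

Note that `classify` cannot read the destination port of an ESP packet without running the full decryption, which is exactly the cost the conventional device pays for every encrypted packet.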
By the above-described process, priority processing based on the data type can be realized even in a communication environment in which an encrypted real-time data packet exists in conjunction with an encrypted non real-time data packet.
In general, packet encryption and decryption require a great deal of processing time. Thus, in the above-described conventional device, which decrypts all encryption performed for a packet, the processing device has to spend a great deal of time on processing. As a result, there arises a problem that packet processing may be delayed, for example, if encrypted packets arrive consecutively. Such processing delay renders priority processing meaningless.